We index data from about 2000 different hosts. Logs are relayed in via a TCP syslog source.
Whenever a user goes to the search application, it takes a good 20+ seconds to load all the summary data, such as "Events Indexed" and all of the counts for each source & host.
Is there any way to edit this page or speed up this search or use cached results on a 5 minute schedule or something like that? The lag really gives an impression of system slowness on this very first page. 😕
I had the same problem. My solution was to remove the searches from the summary page, which was a big improvement.
The searches run from the summary page are metadata searches. These should run very quickly. The comparable search queries would be:
| metadata type=hosts
| metadata type=sources
| metadata type=sourcetypes
Each of the above searches should only take a few seconds to return. It is possible that you have a performance problem that is causing these searches to run slowly. In that case, I recommend you contact support to help debug the problem.
If you are in a distributed search environment, it is possible that the remote peers are taking a while to return data. Splunk will wait to compile all of the results from each indexer before painting the page.